I'm by no means an expert in passwords/crypto and the like, but it sounds to me that his idea of generating passwords from the service name and a master password is a good bad idea.
Basically, his passwords are made of two variable strings: one is the service (easy to guess if you're targeting a specific account, which in his case you must anyway) and a master password that likely doesn't vary much from one identity to another.
Doing this is basically opening the door to anybody who could gain access to his generation algorithm. I have no maths to back me up but I made a quick proof of concept that I ran against /usr/share/dict/words and managed to find one collision in ~100000 tests (I was generating passphrases though).
I'm going to keep on investigating and try to generate passwords instead of passphrases.
You've still got to do it right. If I phish your Twitter account and discover your password is "twitter-iloveyoujane", you can bet I'm going to see if "facebook-iloveyoujane" will get me into your Facebook account...
And I'd be astounded if there weren't already automated tools that do this for every website in the Alexa top 1000...
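Both points in the thread, the collision count from the first comment and the "twitter -> facebook" pivot from the reply, come down to how the per-site password is derived from the master. The following is an added example, not code from either commenter: it contrasts the naive "service-master" concatenation with a salted key-derivation scheme (PBKDF2-HMAC-SHA256, service name as salt; the iteration count and output length are assumed values), and adds a birthday-bound helper that estimates how many generated passphrases it takes before a collision becomes likely for a given dictionary size and word count. The master secret and service names are constructed sample values.

```python
"""Added example (not the commenters' code): naive vs KDF-based per-site
password derivation, plus a birthday-bound estimate for passphrase collisions.
All secrets and service names below are constructed sample values."""
import base64
import hashlib
import math
from typing import Optional

MASTER = "iloveyoujane"  # constructed sample master secret from the thread's example

# --- the scheme the thread criticises -------------------------------------

def naive_site_password(service: str, master: str) -> str:
    """Concatenation: the master secret appears verbatim in every site password."""
    return f"{service}-{master}"


def master_recoverable_from(naive_password: str, service: str) -> Optional[str]:
    """One phished password plus the (public) service name yields the master
    by stripping the known prefix; that is exactly the twitter -> facebook pivot."""
    prefix = f"{service}-"
    if naive_password.startswith(prefix):
        return naive_password[len(prefix):]
    return None


# --- a derivation that does not leak the master ---------------------------

# Assumed parameters: 200k PBKDF2 iterations, 30 derived bytes, 20-char output.
KDF_ITERATIONS = 200_000
KDF_DKLEN = 30


def kdf_site_password(service: str, master: str, length: int = 20) -> str:
    """Derive a per-site password with PBKDF2-HMAC-SHA256 using the service
    name as the salt. The output is deterministic (no database needed), but
    recovering the master from one leaked password, or computing another
    site's password without the master, requires inverting the KDF."""
    key = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), service.encode("utf-8"),
        KDF_ITERATIONS, dklen=KDF_DKLEN,
    )
    return base64.urlsafe_b64encode(key).decode("ascii")[:length]


# --- why passphrases from a small word space collide ----------------------

def passphrase_space(dictionary_size: int, words_per_phrase: int) -> int:
    """Number of distinct passphrases when each word is drawn uniformly from
    a dictionary of dictionary_size entries."""
    return dictionary_size ** words_per_phrase


def expected_trials_for_collision(space_size: int, probability: float = 0.5) -> float:
    """Birthday bound: the number of uniformly random outputs n after which
    P(at least one collision) ~ probability, n ~ sqrt(2 N ln(1/(1-p)))."""
    return math.sqrt(2 * space_size * math.log(1.0 / (1.0 - probability)))


if __name__ == "__main__":
    phished = naive_site_password("twitter", MASTER)
    master = master_recoverable_from(phished, "twitter")
    print("naive: phished", phished, "-> facebook guess", naive_site_password("facebook", master))
    print("kdf twitter :", kdf_site_password("twitter", MASTER))
    print("kdf facebook:", kdf_site_password("facebook", MASTER))
    # With two words from a 100k-word list, a collision is expected after
    # roughly 118k generated phrases; with four words it takes ~10^10.
    for words in (2, 3, 4):
        n = expected_trials_for_collision(passphrase_space(100_000, words))
        print(f"{words} words from 100k: 50% collision after ~{n:,.0f} phrases")
```

The naive half shows why one phished password gives away every other site; the KDF half shows that the same convenience (nothing to store, derive on demand) can be kept without that leak, although a master secret that is guessable in isolation still has to survive an offline attack on the leaked output, which is what the iteration count buys. The birthday-bound helper makes the first comment's observation quantitative: the number of outputs before a collision grows with the square root of the output space, so a small dictionary with few words per phrase collides far sooner than the dictionary size suggests.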